[RADIATOR] PEAP problem: EAP result: 1, EAP authentication is not permitted
Raúl Tejeda Calero
raul.tejeda at satec.es
Mon Feb 7 09:17:51 CST 2011
Hi everyone,
I have another problem with my Radiator configuration.
I'm trying to connect my WinXP client with PEAP (without "validate server certificate"). I have entered one valid user (mikem-fred, for example) and the log shows:
Mon Feb 7 15:28:39 2011: DEBUG: Packet dump:
*** Received from <ip>port 32768 ....
Code: Access-Request
Identifier: 74
Authentic: <175><136><30><157>sd<241><177><223><155><160>$s<228>o<129>
Attributes:
User-Name = "mikem"
Calling-Station-Id = "xx"
Called-Station-Id = "xx:Prueba"
NAS-Port = 13
NAS-IP-Address = xxx.yyy.zzz.www
NAS-Identifier = "WLC-1"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><2><0><10><1>mikem
Message-Authenticator = l<218>k<160><31><206><177><4>E<208><234><171>f<195><137>"
Mon Feb 7 15:28:39 2011: DEBUG: Handling request with Handler 'NAS-IP-Address=xxx.yyy.zzz.www', Identifier ''
Mon Feb 7 15:28:39 2011: DEBUG: Rewrote user name to mikem
Mon Feb 7 15:28:39 2011: DEBUG: Deleting session for mikem, <ip>, 13
Mon Feb 7 15:28:39 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Feb 7 15:28:39 2011: DEBUG: Handling with EAP: code 2, 2, 10, 1
Mon Feb 7 15:28:39 2011: DEBUG: Response type 1
Mon Feb 7 15:28:39 2011: DEBUG: EAP result: 1, EAP authentication is not permitted.
Mon Feb 7 15:28:39 2011: DEBUG: AuthBy FILE result: REJECT, EAP authentication is not permitted.
Mon Feb 7 15:28:39 2011: INFO: Access rejected for mikem: EAP authentication is not permitted.
Mon Feb 7 15:28:39 2011: DEBUG: Packet dump:
*** Sending to 10.223.0.4 port 32768 ....
Code: Access-Reject
Identifier: 74
Authentic: <2>N<9>4<26><237><212>A<231><249><15>T$<129><152>[
Attributes:
Reply-Message = "Request Denied"
My running config is something like this:
# radius.cfg
#
#
#Foreground
#LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 4
AuthPort 1812
AcctPort 1813
BindAddress xxx.yyy.zzz.www
#WLC1 and backup
<Client xxx.yyy.zzz.www>
Client-Identifier "WLC"
Secret xxxxxxx
DupInterval 0
IdenticalClients xxx.yyy.zzz.wwx
</Client>
#Some clients...
<Client xxx.yyy.zzz.www>
Client-Identifier "sw_x"
Secret yyyyyyy
DupInterval 0
</Client>
<Handler Client-Identifier=/SWL2|CORE|FW/>
<AuthBy FILE>
Filename %D/users
</AuthBy>
# Log accounting to a detail file
AcctLogFileName %L/detail
</Handler>
#<Handler TunnelledByPEAP=1>
<Handler NAS-IP-Address="WLC-Address">
RewriteUsername s/(.*)\\(.*)/$2/
<AuthBy FILE>
<AuthBy FILE>
Filename %D/users
EAPType MSCHAP-V2, PEAP
# EAPTLS_CAFile %D/certificados/ca.pem
# EAPTLS_CertificateFile %D/certificados/serv.pem
# EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile %D/certificados/serv.key
# EAPTLS_MaxFragmentSize 500
</AuthBy>
</Handler>
Another problem (or the same, I don't know) is the following:
If I use the handler "tunneledByPEAP=1", Radiator says: Mon Feb 7 15:25:56 2011: WARNING: Could not find a handler for mikem: request is ignored
Thus, my Access-Request seems not to be tunneled by PEAP; perhaps I have configured PEAP in my WLAN and client.
Thanks for your help,
Regards,
Raúl Tejeda
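
Added example, not part of the original post and not Radiator code: a Python decoder for the EAP-Message attribute shown in the packet dump above, useful for checking which EAP exchange a logged Access-Request actually carries. It assumes the dump writes each non-printable byte as `<N>` with N in decimal, which agrees with the "Handling with EAP: code 2, 2, 10, 1" debug line; the function names `undump` and `parse_eap` are hypothetical.

```python
import re
import struct

# EAP codes and a few method types (RFC 3748 and the IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAP-V2"}


def undump(text):
    """Turn dump notation into bytes (assumption: <N> is one byte, N decimal)."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"<(\d{1,3})>", text):
        out += text[pos:m.start()].encode("latin-1")  # printable run
        value = int(m.group(1))
        if value > 255:
            raise ValueError("byte value out of range: %d" % value)
        out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_eap(raw):
    """Parse the 4-byte EAP header and, for Request/Response, the type octet."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": None, "data": b""}
    if code in (1, 2) and length >= 5:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]  # ignore anything past the declared length
    return pkt


# The EAP-Message attribute exactly as it appears in the dump in the post.
SAMPLE = "<2><2><0><10><1>mikem"

if __name__ == "__main__":
    print(parse_eap(undump(SAMPLE)))
```

On the sample this yields an EAP Response of type Identity with data `mikem`, which is the outer identity exchange that comes before any PEAP tunnel is set up.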